Opened 11 days ago

Last modified 9 days ago

#33705 assigned defect

Add header to redirect websites visitors using tor-browser to the .onion address

Reported by: hiro Owned by: hiro
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: isabela, stephw, sysrqb, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by hiro)

We have received a number of tickets by Tor Browser users that we should keep people visiting the .onion version of a website in the .onion space. Instead because we have different subdomains for different websites a user surfing the onion version of will be, for example, taken to instead of its onion address.

I am willing to implement a header that signal the .onion address for all of our onions and I am currently considering the following options.

  1. Implement alt-svc. This is what facebook does. Specifically the browser receive a alt-sv header like:
alt-svc: h2="facebook2futmrduts5uqn3ahwg4qyqoks6h3alxf5drhsgyhzujyqad.onion:443"; ma=86400
  1. Use onion-location:
Onion-Location: http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/header/
  1. Use a onion-location meta-tag:
<!DOCTYPE html>
    <meta http-equiv="onion-location" content="http://sbe5fi5cka5l3fqe.onion/~acat/test/onionlocation/meta/"/>
    Onion-Location meta tag test.

I would personally prefer to use one of the two headers options. Either the alt-sv or the onion-location one. Both have advantages. I like that with alt-sv the connection is upgraded to an onion location without the address bar changing. At the same time we should also showcase our onions! And if we launch the onion-location header support we should show it on our websites.

Something I would avoid is following the model that Privacy International use, and issue a "Location:" redirect when the client comes from an exit node. We currently do not check in our infrastructure where a user is coming from and I wouldn't like to start doing that.

Child Tickets

Change History (11)

comment:1 Changed 11 days ago by hiro

Description: modified (diff)

comment:2 Changed 11 days ago by acat

Technically you could have both, since they are independent. But I'm assuming we want to advertise the .onion address, let people bookmark it, etc., and that's not something you can do with Alt-Svc, so I think Onion-Location would be preferable.

comment:3 Changed 10 days ago by hiro

Yes I was at the beginning inclined to implement both. But there was a quick chat on #tor-dev and the idea was to pick either one of the two. I'd like to know what we prefer. I think we should showcase the .onion so onion-location would be ideal. Not sure others have other opinions.

comment:4 Changed 10 days ago by hiro

Cc: isabela added

comment:5 Changed 10 days ago by hiro

Cc: stephw added

comment:6 Changed 10 days ago by hiro

Cc: steph added

comment:7 Changed 10 days ago by hiro

Cc: sysrqb added; steph removed

comment:8 Changed 10 days ago by mcs

Cc: mcs added

comment:9 Changed 10 days ago by hiro

Description: modified (diff)

comment:10 Changed 10 days ago by antonela

Thanks for opening this ticket, hiro!

At the moment there is no standard to redirect users to onions. Thanks to our work with S27, we deployed some features in the Tor Browser, which improves the experience of users reaching onions. Given that it is the first time we are prioritizing onions in Tor Browser, we decided to prompt users the first time of use and allow them to opt-in to prioritize onions globally.

I hope that at some point, we can reach a moment where we can contemplate all stakeholder's needs and develop a standard for this TLS upgrade without messing around the domain naming business.

For now, onion-location seems a to go for Tor Browser users, and (if I'm not wrong), alt-svc will work in clients like Brave. The end-user experience will be a little different, but both options will serve onions.

I'm happy to learn about your pain-points implementing this. It will serve as material for our next iteration in this space.

comment:11 Changed 10 days ago by hiro

So should we implement both? Or only onion-location?

Note: See TracTickets for help on using tickets.